Date: Sun, 29 Nov 2015 10:21:50 -0800
From: Alexei Starovoitov
To: Dmitry Vyukov
Cc: Alexei Starovoitov, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Sasha Levin, daniel@iogearbox.net
Subject: Re: user-controllable kmalloc size in bpf syscall
Message-ID: <20151129182149.GA79352@ast-mbp.thefacebook.com>

On Sun, Nov 29, 2015 at 02:18:29PM +0100, Dmitry Vyukov wrote:
> ca.key_size = 1;
> ca.value_size = 0xfffffff9;
> ca.max_entries = 10;
> int fd = syscall(SYS_bpf, BPF_MAP_CREATE, &ca, sizeof(ca));
...
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 11122 at mm/page_alloc.c:2989
> __alloc_pages_nodemask+0x695/0x14e0()

thanks for the report. That's an integer overflow :(
working on the fix.
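Added example, not part of the original message and not the kernel's code: it shows how the quoted `value_size = 0xfffffff9` wraps in unchecked 32-bit size arithmetic, next to a checked computation that rejects it before any allocation. The per-element layout (key and value each rounded up to 8 bytes), the function names and the `MAX_ALLOC` cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, not the kernel's: each element holds the key and
 * the value, both rounded up to a multiple of 8 bytes. */
#define ALIGN8_U32(x) (((x) + 7u) & ~7u) /* wraps for x > 0xfffffff8 */

/* Assumed upper bound on what a map may ask the allocator for. */
#define MAX_ALLOC (4u * 1024u * 1024u)

/* Unchecked 32-bit arithmetic: rounding 0xfffffff9 up to 8 wraps to 0,
 * so the computed size no longer reflects what the caller asked for. */
static uint32_t elem_size_unchecked(uint32_t key_size, uint32_t value_size)
{
    return ALIGN8_U32(key_size) + ALIGN8_U32(value_size);
}

/* Checked version: widen to 64 bits first, then bound every intermediate
 * result before it can reach an allocator. */
static bool map_bytes_checked(uint32_t key_size, uint32_t value_size,
                              uint32_t max_entries, uint64_t *out)
{
    uint64_t elem, total;

    if (key_size == 0 || value_size == 0 || max_entries == 0)
        return false;
    elem = (((uint64_t)key_size + 7) & ~7ull) +
           (((uint64_t)value_size + 7) & ~7ull);
    if (elem > MAX_ALLOC)
        return false;
    total = elem * max_entries; /* at most 2^22 * 2^32, fits in 64 bits */
    if (total > MAX_ALLOC)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    uint64_t total = 0;

    /* Sizes taken from the quoted reproducer. */
    printf("unchecked element size: %u\n",
           (unsigned)elem_size_unchecked(1, 0xfffffff9u));
    printf("checked path accepts request: %d\n",
           map_bytes_checked(1, 0xfffffff9u, 10, &total));
    return 0;
}
```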